Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 09:48
Static task: static1
Behavioral task: behavioral1
Sample: ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Resource: win10v2004-20240508-en
General
Target: ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Size: 4.1MB
MD5: a3c419f3f21ea2b1f953b6afffa93ab3
SHA1: fc3d57e90e505d0ea5a1194bc0d244eac6924505
SHA256: ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef
SHA512: ad6f26ce3277538232654956ebe8a07148ff4e817719c123245d107abeb94833cdd21e30602decd70bf6c8806a0a4cb8b6158ff681363dd1e9682b6a026036ac
SSDEEP: 98304:NH49zrfgobu9aDMWAg4dPDb/NQHvakIF/A8L3rqLZk5t2qZ3qL2LAZ5q:Er7OagDbOPW/F2k5tRZaLrk
Malware Config
Signatures
Glupteba payload (15 IoCs)
Processes (resource, yara_rule):
behavioral1/memory/2700-50-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/4484-130-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-215-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-216-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-217-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-218-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-219-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-220-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-221-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-222-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-223-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-224-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-225-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-226-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral1/memory/3648-227-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes (pid, process):
1564 netsh.exe
Executes dropped EXE (2 IoCs)
Processes (pid, process):
3648 csrss.exe
2568 injector.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver (1 IoC)
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes (description, ioc, process):
File opened for modification \??\WinMonFS csrss.exe
Drops file in System32 directory (7 IoCs)
Processes (description, ioc, process):
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes (description, ioc, process):
File opened (read-only) \??\VBoxMiniRdrDN ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Drops file in Windows directory (2 IoCs)
Processes (description, ioc, process):
File opened for modification C:\Windows\rss ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
File created C:\Windows\rss\csrss.exe ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Command and Scripting Interpreter: PowerShell
Processes (pid, process):
2296 powershell.exe
868 powershell.exe
1564 powershell.exe
468 powershell.exe
2196 powershell.exe
2740 powershell.exe
4180 powershell.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
8 schtasks.exe
4920 schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege 2740 powershell.exe
Token: SeDebugPrivilege 2700 ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Token: SeImpersonatePrivilege 2700 ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe
Token: SeDebugPrivilege 4180 powershell.exe
Token: SeDebugPrivilege 2296 powershell.exe
Token: SeDebugPrivilege 868 powershell.exe
Token: SeDebugPrivilege 1564 powershell.exe
Token: SeDebugPrivilege 468 powershell.exe
Token: SeDebugPrivilege 2196 powershell.exe
Token: SeSystemEnvironmentPrivilege 3648 csrss.exe
Suspicious use of WriteProcessMemory (30 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe (PID 2700)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2740)
    Command line: powershell -nologo -noprofile
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe (PID 4484)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4180)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (PID 3788)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\netsh.exe (PID 1564)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2296)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 868)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\rss\csrss.exe (PID 3648)
      Command line: C:\Windows\rss\csrss.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Manipulates WinMonFS driver
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1564)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SYSTEM32\schtasks.exe (PID 8)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)

      C:\Windows\SYSTEM32\schtasks.exe (PID 2108)
        Command line: schtasks /delete /tn ScheduledUpdate /f

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 468)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2196)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 2568)
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SYSTEM32\schtasks.exe (PID 4920)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 220)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1032,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads